DDoS attack is launched from 162,000 WordPress sites

With some old-fashioned trickery, hackers were able to get more than 162,000 legitimate WordPress-powered Web sites to mount a distributed-denial-of-service attack against another Web site, security researchers said Monday.

Security firm Sucuri said hackers leveraged a well-known flaw in WordPress that allows an attack to be amplified by harnessing unsuspecting Web sites. It's unclear which site was the victim of the cyberattack, but Sucuri said it was a "popular WordPress site" that went down for many hours.

"It was a large HTTP-based (layer 7) distributed flood attack, sending hundreds of requests per second to their server," Sucuri chief technology officer Daniel Cid said in a blog post. "All queries had a random value (like '?4137049=643182') that bypassed their cache and forced a full page reload every single time. It was killing their server pretty quickly."

While hundreds of requests per second don't seem that big when looking at other recent DDoS attacks -- like the ones against Namecheap and a CloudFlare customer last month that reached volumes from 100 gigabits per second to 400 gigabits per second -- Cid said this attack is still remarkable since it could have originated from just one person.

"Can you see how powerful it can be?" he wrote. "One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows."
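For site operators, the random-query cache bypass Cid describes can be spotted in access logs and neutralized by keying the cache only on parameters the site actually uses. The sketch below is an added example, not code from Sucuri or from the original article; the log lines are constructed, and the `KNOWN_PARAMS` list and the `min_sources` threshold are assumptions for a hypothetical site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (documentation IP ranges), not data from the incident.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2014:10:00:01 +0000] "GET /?4137049=643182 HTTP/1.0" 200 51200
203.0.113.9 - - [10/Mar/2014:10:00:01 +0000] "GET /?7781203=190332 HTTP/1.0" 200 51200
192.0.2.44 - - [10/Mar/2014:10:00:02 +0000] "GET /?5520918=804417 HTTP/1.0" 200 51200
192.0.2.80 - - [10/Mar/2014:10:00:02 +0000] "GET /?p=12 HTTP/1.1" 200 48000
192.0.2.81 - - [10/Mar/2014:10:00:03 +0000] "GET /about/?66120=5 HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) ')
# Assumption: the only query parameters this hypothetical site actually reads.
KNOWN_PARAMS = {"p", "page_id", "s", "paged", "cat"}


def query_pairs(target):
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def is_cache_buster(target):
    """True when every query pair is an unused, all-digit key=value."""
    pairs = query_pairs(target)
    return bool(pairs) and all(
        k not in KNOWN_PARAMS and k.isdigit() and v.isdigit() for k, v in pairs)


def normalized_cache_key(target):
    """Cache key that drops parameters the application never reads."""
    kept = sorted((k, v) for k, v in query_pairs(target) if k in KNOWN_PARAMS)
    query = "&".join(f"{k}={v}" for k, v in kept)
    return urlsplit(target).path + ("?" + query if query else "")


def flood_report(log_text, min_sources=3):
    """Paths hit by cache-busting queries from >= min_sources distinct IPs."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cache_buster(m.group(2)):
            sources[urlsplit(m.group(2)).path].add(m.group(1))
    return {path: len(ips) for path, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    print(flood_report(SAMPLE_LOG))
    print(normalized_cache_key("/?4137049=643182"))
```

With the normalized key, every randomized request for the front page maps to the same cached entry instead of forcing a full page build.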